We are seeing extremely slow performance when logging in with Active Directly credentials into the CMA Desktop Client.
When looking at Jserver logs, it seems theres a HUGE amount of entries relating to failed searches.
I believe the issue we are seeing I believe relates to how our AD is setup. Essentially we are part of a very large domain, which consists of many OUs hanging off the root level of the domain. Our institution has 6 OUs hanging off that root level of the tree.
So in the CMA we set it up as follows:
for our baseDN we pointed it to the root level of the domain (actually left it blank so it defaults to root level?).
We have an exlusuion filter that points to a group we setup that includes users we want to allow access.
This all works, but is extremely slow. From what I can guess/tell, everytime the CMA client does anything (like search the address book, login, etc..) it does a search or searches of AD for information. It seems to search all of AD for information, which seems to take forever. We are seeing 8-10 second delays in the client when logging in, searching the address book, or even placing a call.
So my question is if there is a better way to configure it, given that we cannot change our AD structure? Ideas we've had, but not sure if possible:
- Specifying mulitiple baseDNs. Doubt we can do this. In our case, we'd have to specify 6 baseDNs.
- Restrict the CMA's AD user credentialst to only be allowed to search our 6 OUs?
- Remove the exclusion filter. I've seen notes on where that can slow things down seemingly.